Robustness analyzes the impact of small perturbations on the semantics of a model. This allows modelling hardware imprecision, and it has therefore been applied to determine the implementability of timed automata. In a recent paper, we extend this problem to a specification theory for real-time systems based on timed input/output automata, which are interpreted as two-player games. We propose a construction that allows synthesizing an implementation of a specification that is robust under a given timed perturbation, and we study the impact of these perturbations when composing different specifications.

To complete this work, we present a technique that evaluates the greatest admissible perturbation. It consists of an iterative process that extracts a spoiling strategy when a game is lost and, through a parametric analysis, refines the admissible values of the perturbation. We demonstrate this approach with a prototype implementation.



1 Introduction 



Component-based design is a software development paradigm well established in the software engineering industry. In component-based design, larger systems are built from smaller modules that depend on each other in well delimited ways described by interfaces. The use of explicit interfaces encourages the creation of robust and reusable components. Specification theories provide a language for specifying component interfaces together with operators for combining them, such as parallel composition, along with algorithms for verification based on refinement checking.

For real-time systems, timed automata [5] are the classical specification language. Designs specified as timed automata are traditionally validated using model checking against correctness properties expressed in a suitable timed temporal logic [?]. Mature modelling and model-checking tools exist, such as Uppaal [9], that implement this technique and have been applied to numerous industrial applications.

In [15], the authors proposed a specification theory for real-time systems, based on an input/output extension of the timed automata model, to specify both models and properties. It uses refinement checking instead of model checking to support compositionality of designs and proofs from the ground up. The set of state transitions of the timed systems is partitioned between inputs, representing actions of the environment, and outputs, which represent the behaviour of the component. The theory is equipped with a game-based semantics. The two players, Input and Output, compete in order to achieve a winning objective — for instance safety or reachability.

The theory of [15] is equipped with a compatibility check and a consistency check that allow deciding whether a specification can indeed be implemented. Unfortunately, this check does not take limitations and imprecision of the physical world into account. This is best explained with an example. Consider the specification of a coffee machine in Fig. 1. This machine first asks for the choice of a drink, then awaits a coin, and after receiving the payment it delivers the coffee. If the payment does not arrive within 6 time units, the machine aborts the drink selection and returns to the initial state, awaiting a new choice of beverage. Already in this simple example it is quite hard to see that implementing a component satisfying this specification is not actually possible, due to a subtle mistake. Observe that the first two steps of the machine are controlled by the environment, and not by the system itself. Thus any implementation has to be able to accept the following behaviour: first choice? and then the coin? arriving precisely 6 time units after the choice. However, we then arrive at the state $(\mathrm{Serving}, y = 6)$, which requires that the coffee (cof!) be delivered immediately, in zero time. No physical system would permit this, so we say that this state is not robustly consistent.

Figure 1: Non-robust specification of a coffee machine

The above example can be fixed easily by adding another reset of clock y when the coin? message is received. The intended behaviour of the specification is probably that the serving should take 6 time units from the insertion of the coin, and not from the choice of the drink. Finding such errors in specifications is even harder in larger designs, as non-robust timing can emerge in the composition of multiple specifications, as a result of combining behaviours that are themselves robust.

Timing precision errors in specifications are not handled in any way in idealized interface theories such as [15, 4]. These and similar issues have led to the definition of the so-called timing robustness problem, which checks whether a model can admit some timing perturbation while preserving a desired property. The robustness problem has been studied in various works for timed automata and has been linked to the implementability problem [25]. In [20], we extend the specification theory of [15] to support robustness analysis. We check robust consistency and robust compatibility under the assumption of a given small perturbation. However, we were not able to decide whether any perturbation can be admitted, nor to determine the maximum amount. That is the goal of this paper: to address the parametric problems for robust consistency and robust compatibility. Our contributions include:

• We present a technique that evaluates the greatest admissible perturbation for the robustness problems. We apply a counterexample-abstraction-refinement-like technique that analyzes parametrically the results of lost timed games in order to refine the value of the perturbation.

• We introduce a prototype tool that implements this technique and some other functionalities from the theory of [?].

• We demonstrate its performance compared to a simple binary search technique for finding an optimal precision value.



Related works The robust semantics for timed automata with clock drifts has been introduced by Puri [22]. The problem has been linked to the implementation problem in [25], which introduced the first semantics that modelled the hardware on which the automaton is executed. In this work, the authors proposed a robust semantics of timed automata called AASAP semantics (for "Almost As Soon As Possible"), that enlarges the guards of an automaton by a delay $\Delta$. This work has been extended in [24], which proposes another robust semantics with both clock drifts and guard enlargement. Extending [22], they solve the robust safety problem, defined as the existence of a non-null value for the imprecision. They show that in terms of robust safety the semantics with clock drifts is just as expressive as the semantics with delay perturbation.

Robust timed games have been studied in [13]. In [20], we adapt their technique to check robust consistency and robust compatibility.

Robustness is defined in [24] as the existence of a positive value for the imprecision of a timed automaton. They prove that this problem is decidable, but they do not synthesize the value. A bound on the value is computed in [10]. Finally, a quantitative analysis is performed in [19] that computes the greatest admissible value for the perturbation, but the method is restricted to timed automata without nested loops. We propose an approximation technique that evaluates this value in the context of timed specifications, with no major restriction on the syntax of the specifications.

Organization of the paper: We introduce in Section 2 basic definitions for timed systems and timed games. In Section 3 we recall the theory of robust timed specifications described in [20] and [15]. The main contribution of this paper comes in Section 4, with a counterexample refinement technique to measure the imprecision allowed by the specifications. We present in Section 5 a tool that implements this technique, and we demonstrate its performance in Section 6.

2 Preliminaries 

We use $\mathbb{N}$ for the set of all non-negative integers, $\mathbb{R}$ for the set of all real numbers, and $\mathbb{R}_{\ge 0}$ (resp. $\mathbb{R}_{>0}$) for the non-negative (resp. strictly positive) subset of $\mathbb{R}$. Rational numbers are denoted by $\mathbb{Q}$, and their subsets are denoted analogously.

In the framework of [15], specifications and their implementations are semantically represented by Timed I/O Transition Systems (TIOTS), which are nothing more than timed transition systems with input and output modalities on transitions. Input represents the behaviours of the environment in which a specification is used, while output represents behaviours of the component itself.

Definition 1 A Timed I/O Transition System is a tuple $S = (St^S, s_0, \Sigma^S, \to^S)$, where $St^S$ is an infinite set of states, $s_0 \in St^S$ is the initial state, $\Sigma^S = \Sigma_i^S \uplus \Sigma_o^S$ is a finite set of actions partitioned into inputs $\Sigma_i^S$ and outputs $\Sigma_o^S$, and $\to^S \subseteq St^S \times (\Sigma^S \cup \mathbb{R}_{\ge 0}) \times St^S$ is a transition relation. We write $s \xrightarrow{a}^S s'$ when $(s, a, s') \in \to^S$, and use $i?$, $o!$ and $d$ to range over inputs, outputs and $\mathbb{R}_{\ge 0}$, respectively.

In what follows, we assume that any TIOTS satisfies the following conditions:

• time determinism: whenever $s \xrightarrow{d} s'$ and $s \xrightarrow{d} s''$ then $s' = s''$

• time reflexivity: $s \xrightarrow{0} s$ for all $s \in St^S$

• time additivity: for all $s, s'' \in St^S$ and all $d_1, d_2 \in \mathbb{R}_{\ge 0}$ we have $s \xrightarrow{d_1 + d_2} s''$ iff $s \xrightarrow{d_1} s'$ and $s' \xrightarrow{d_2} s''$ for some $s' \in St^S$

A run $\rho$ of a TIOTS $S$ from a state $s_1$ is a sequence $s_1 \xrightarrow{a_1} s_2 \xrightarrow{a_2} \cdots \xrightarrow{a_n} s_{n+1}$ such that for all $1 \le i \le n$, $s_i \xrightarrow{a_i} s_{i+1}$ with $a_i \in \Sigma^S \cup \mathbb{R}_{\ge 0}$. We write $\mathrm{Runs}(s_1, S)$ for the set of runs of $S$ starting in $s_1$ and $\mathrm{Runs}(S)$ for $\mathrm{Runs}(s_0, S)$. We write $\mathrm{States}(\rho)$ for the set of states reached in $\rho$, and if $\rho$ is finite, $\mathrm{last}(\rho)$ is the last state occurring in $\rho$.

A TIOTS $S$ is deterministic iff $\forall a \in \Sigma^S \cup \mathbb{R}_{\ge 0}$, whenever $s \xrightarrow{a} s'$ and $s \xrightarrow{a} s''$, then $s' = s''$. It is input-enabled iff each of its states $s \in St^S$ is input-enabled: $\forall i? \in \Sigma_i^S.\ \exists s' \in St^S.\ s \xrightarrow{i?} s'$. It is output urgent iff $\forall s, s', s'' \in St^S$, if $s \xrightarrow{o!} s'$ and $s \xrightarrow{d} s''$ then $d = 0$. Finally, $S$ verifies the independent progress condition iff either $(\forall d > 0.\ s \xrightarrow{d})$ or $(\exists d \in \mathbb{R}_{\ge 0}.\ \exists o! \in \Sigma_o^S.\ s \xrightarrow{d} s' \text{ and } s' \xrightarrow{o!})$.

TIOTS are syntactically represented by Timed I/O Automata (TIOA). Let $Clk$ be a finite set of clocks. A clock valuation over $Clk$ is a mapping $Clk \mapsto \mathbb{R}_{\ge 0}$ (thus $u \in \mathbb{R}_{\ge 0}^{Clk}$). Given a valuation $u$ and $d \in \mathbb{R}_{\ge 0}$, we write $u + d$ for the valuation in which for each clock $x \in Clk$ we have $(u + d)(x) = u(x) + d$. For $X \subseteq Clk$, we write $u[X]$ for the valuation agreeing with $u$ on clocks in $Clk \setminus X$, and mapping the clocks in $X$ to $0$.

Let $\Phi(Clk)$ denote all clock constraints $\varphi$ generated by the grammar $\varphi ::= x \prec k \mid x - y \prec k \mid \varphi \wedge \varphi$, where $k \in \mathbb{Q}$, $x, y \in Clk$ and $\prec \in \{<, \le, >, \ge\}$. For $\varphi \in \Phi(Clk)$ and $u \in \mathbb{R}_{\ge 0}^{Clk}$, we write $u \models \varphi$ if $u$ satisfies $\varphi$. Let $\llbracket \varphi \rrbracket$ denote the set of valuations $\{u \in \mathbb{R}_{\ge 0}^{Clk} \mid u \models \varphi\}$. A subset $Z \subseteq \mathbb{R}_{\ge 0}^{Clk}$ is a zone if $Z = \llbracket \varphi \rrbracket$ for some $\varphi \in \Phi(Clk)$.

Definition 2 A Timed I/O Automaton is a tuple $A = (Loc, q_0, Clk, E, Act, Inv)$, where $Loc$ is a finite set of locations, $q_0 \in Loc$ is the initial location, $Clk$ is a finite set of clocks, $E \subseteq Loc \times Act \times \Phi(Clk) \times 2^{Clk} \times Loc$ is a set of edges, $Act = Act_i \uplus Act_o$ is a finite set of actions partitioned into inputs ($Act_i$) and outputs ($Act_o$), and $Inv : Loc \to \Phi(Clk)$ is a set of location invariants.

We assume all TIOA include a universal location, denoted $l_u$, that accepts every input and can produce every output at any time.

The semantics of a TIOA $A = (Loc, q_0, Clk, E, Act, Inv)$ is a TIOTS $\llbracket A \rrbracket_{sem} = (Loc \times \mathbb{R}_{\ge 0}^{Clk}, (q_0, \mathbf{0}), Act, \to)$, where $\mathbf{0}$ is the constant function mapping all clocks to zero, and $\to$ is the largest transition relation generated by the following rules:

• Each edge $(q, a, \varphi, X, q') \in E$ gives rise to $(q, u) \xrightarrow{a} (q', u')$ for each clock valuation $u \in \mathbb{R}_{\ge 0}^{Clk}$ such that $u \models \varphi$, $u' = u[X \mapsto 0]$ and $u' \models Inv(q')$.

• Each location $q \in Loc$ with a valuation $u \in \mathbb{R}_{\ge 0}^{Clk}$ gives rise to a transition $(q, u) \xrightarrow{d} (q, u + d)$ for each delay $d \in \mathbb{R}_{\ge 0}$ such that $u + d \models Inv(q)$.

Let $X$ be a set of states in $\llbracket A \rrbracket_{sem}$ and let $a \in Act$. The $a$-successors and $a$-predecessors of $X$ are defined respectively by:

$\mathrm{Post}_a(X) = \{(q', u') \mid \exists (q, u) \in X.\ (q, u) \xrightarrow{a} (q', u')\}$
$\mathrm{Pred}_a(X) = \{(q, u) \mid \exists (q', u') \in X.\ (q, u) \xrightarrow{a} (q', u')\}$

The timed successors and timed predecessors of $X$ are respectively defined by:

$X^{\nearrow} = \{(q, u + d) \mid (q, u) \in X, d \in \mathbb{R}_{\ge 0}\}$
$X^{\swarrow} = \{(q, u - d) \mid (q, u) \in X, d \in \mathbb{R}_{\ge 0}\}$

Additionally, we define the safe timed predecessors of $X$ w.r.t. a set of states $Y$, which are the timed predecessors of $X$ that avoid the states of $Y$ along the path:

$\mathrm{Pred}_t(X, Y) = \{(q, u) \mid \exists d \in \mathbb{R}_{\ge 0}.\ (q, u) \xrightarrow{d} (q, u + d) \text{ and } (q, u + d) \in X \text{ and } \forall d' \in [0, d].\ (q, u + d') \notin Y\}$

Symbolic Abstractions Since TIOTSs are of infinite size they cannot be directly manipulated by computations. Usually symbolic representations, such as region graphs [5] or zone graphs, are used as data structures that finitely represent the semantics of TIOAs. We denote by $\mathcal{X} = (q, Z)$ a symbolic state, where $q \in Loc$ and $Z \subseteq \mathbb{R}_{\ge 0}^{Clk}$ is a zone. The zone graph is $G_A = (\mathcal{Z}_A, \mathcal{X}_0, \to)$, where $\mathcal{Z}_A$ is the set of reachable zones. The initial state is defined by $\mathcal{X}_0 = (\{(q_0, \mathbf{0})\}^{\nearrow} \cap \llbracket Inv(q_0) \rrbracket)$. For $a \in Act$, $(q, Z) \xrightarrow{a} (q', Z')$ if $(q, a, \varphi, X, q') \in E$ and $Z' = ((Z \cap \llbracket \varphi \rrbracket)[X])^{\nearrow} \cap \llbracket Inv(q') \rrbracket$.



Example Figure 2 presents three small examples of TIOAs that specify the behaviour of a university composed of a coffee machine (Fig. 2a), a researcher (Fig. 2b) and an administration (Fig. 2c).

L.-M. Traonouez

(a) Coffee machine (b) Researcher (c) Administration

Figure 2: Timed specifications with timed I/O automata

Timed Games TIOAs are interpreted as two-player real-time games between the output player (the component) and the input player (the environment). The input player plays with actions in $Act_i$ and the output player plays with actions in $Act_o$. A strategy for a player is a function that defines her move at a certain time (either delaying or playing a controllable action). A strategy is called memoryless if the next move depends solely on the current state. We only consider memoryless strategies, as these suffice for safety games [1]. For simplicity, we only define strategies for the output player (i.e. output is the verifier). Definitions for the input player are obtained symmetrically.

Definition 3 A memoryless strategy $f_o$ for the output player on the TIOA $A$ is a partial function $St^{\llbracket A \rrbracket_{sem}} \rightharpoonup Act_o \cup \{\mathrm{delay}\}$, such that

• Whenever $f_o(s) \in Act_o$ then $s \xrightarrow{f_o(s)} s'$ for some $s'$.

• Whenever $f_o(s) = \mathrm{delay}$ then $s \xrightarrow{d} s''$ for some $d > 0$ and state $s''$, and $f_o(s'') = \mathrm{delay}$.

The game proceeds as a concurrent game between the two players, each proposing its own strategy. The restricted behaviour of the game defines the outcome of the strategies.

Definition 4 Let $A$ be a TIOA, $f_o$ and $f_i$ be two strategies over $A$ for the output and input player, respectively, and $s$ be a state of $\llbracket A \rrbracket_{sem}$. $\mathrm{Outcome}(s, f_o, f_i)$ is the subset of $\mathrm{Runs}(s, \llbracket A \rrbracket_{sem})$ defined inductively by:

• $s \in \mathrm{Outcome}(s, f_o, f_i)$,

• if $\rho \in \mathrm{Outcome}(s, f_o, f_i)$, then $\rho' = \rho \xrightarrow{a} s' \in \mathrm{Outcome}(s, f_o, f_i)$ if $\rho' \in \mathrm{Runs}(s, \llbracket A \rrbracket_{sem})$ and one of the following conditions holds:

1. $a \in Act_o$ and $f_o(\mathrm{last}(\rho)) = a$,

2. $a \in Act_i$ and $f_i(\mathrm{last}(\rho)) = a$,

3. $a \in \mathbb{R}_{\ge 0}$ and $\forall d \in [0, a[.\ \exists s''.\ \mathrm{last}(\rho) \xrightarrow{d} s''$ and $\forall k \in \{o, i\}.\ f_k(s'') = \mathrm{delay}$.

• $\rho \in \mathrm{Outcome}(s, f_o, f_i)$ if $\rho$ is infinite and all its finite prefixes are in $\mathrm{Outcome}(s, f_o, f_i)$.

A winning condition for a player in the TIOA $A$ is a subset of $\mathrm{Runs}(\llbracket A \rrbracket_{sem})$. In safety games the winning condition is to avoid a set $\mathrm{Bad}$ of "bad" states. Formally, the winning condition is $W^o(\mathrm{Bad}) = \{\rho \in \mathrm{Runs}(\llbracket A \rrbracket_{sem}) \mid \mathrm{States}(\rho) \cap \mathrm{Bad} = \emptyset\}$. A strategy $f_o$ for output is a winning strategy from state $s$ if and only if, for all strategies $f_i$ of input, $\mathrm{Outcome}(s, f_o, f_i) \subseteq W^o(\mathrm{Bad})$. On the contrary, a strategy $f_i$ for input is a spoiling strategy of $f_o$ if and only if $\mathrm{Outcome}(s, f_o, f_i) \not\subseteq W^o(\mathrm{Bad})$. A state $s$ is winning for output if there exists a winning strategy from $s$. The game $(A, W^o(\mathrm{Bad}))$ is winning if and only if the initial state is winning. Solving this game is decidable [21, 12, 15]. We only consider safety games in this paper, and without loss of generality we assume these "bad" states correspond to a set of entirely "bad" locations.

Symbolic Timed Games: It is proved in [1] that timed games can be solved using region strategies, where the players only need to remember the sequence of regions, instead of the sequence of states used in Definition 3. Consequently, timed games can be solved through symbolic computations performed on the symbolic graph (either the region graph or the zone graph), using for instance the algorithm presented in [12]. To represent these strategies we define symbolic strategies, which apply to symbolic states:

Definition 5 A symbolic strategy $F_o$ for the output player on the symbolic graph $G_A = (\mathcal{Z}_A, \mathcal{X}_0, \to)$ is a function $\mathcal{Z} \to Act_o \cup \{\mathrm{delay}\}$, where $\mathcal{Z}$ is a partition of the reachable states that refines $\mathcal{Z}_A$, such that whenever $F_o((q, Z)) \in Act_o$ then $\forall u \in Z.\ (q, u) \xrightarrow{F_o((q, Z))} (q', u')$ for some $(q', u')$.

We remark that a symbolic strategy $F_o$ corresponds to the set of strategies $f_o$ such that whenever $F_o((q, Z)) = a$, then $\exists u \in Z.\ f_o((q, u)) = a$. For $(q, u) \in \llbracket A \rrbracket_{sem}$, if $\exists (q, Z) \in \mathcal{Z}.\ u \in Z$ and $F((q, Z)) \in Act \cup \{\mathrm{delay}\}$, we define by extension $F((q, u)) = F((q, Z))$. For a symbolic state $\mathcal{X}$ we define the timed successors of $\mathcal{X}$ restricted by $F$ by:

$\mathcal{X}^{\nearrow F} = \{(q, u + d) \mid (q, u) \in \mathcal{X},\ d \in \mathbb{R}_{\ge 0},\ \forall d' \in [0, d].\ F((q, u + d')) = F((q, u + d)) \vee F((q, u + d')) = \mathrm{delay}\}$

3 Robust Timed Specifications 

We summarize in this section the theory of robust timed specifications presented in [20]. It extends the theory of timed specifications based on TIOA presented in [15].

3.1 Basics of the Timed Specification Theory 

In [15] specifications and implementations are both represented by TIOAs satisfying additional conditions:

Definition 6 A specification $S$ is a TIOA whose semantics $\llbracket S \rrbracket_{sem}$ is deterministic and input-enabled.

Definition 7 An implementation $I$ is a specification whose semantics $\llbracket I \rrbracket_{sem}$ additionally verifies the output urgency and the independent progress conditions.

In specification theories, a refinement relation plays a central role. It allows comparing specifications, and relating implementations to specifications. In [15], as well as in [2, 3, 11], refinement is defined in the style of alternating (timed) simulation. Formally, given two specifications $S$ and $T$, we say that $S$ refines $T$, written $S \le T$, if and only if $\llbracket S \rrbracket_{sem}$ is simulated by $\llbracket T \rrbracket_{sem}$.

Definition 8 An implementation $I$ satisfies a specification $S$, denoted $I\ \mathrm{sat}\ S$, if and only if $I \le S$.
A specification $S$ is consistent if and only if there exists at least one implementation that satisfies $S$.

A complete specification theory includes several operators to compose specifications. The parallel composition of two specifications $S$ and $T$ (denoted $S \| T$) is defined by the product of the two TIOAs, where components synchronize on common inputs/outputs. Additional operators include conjunction and quotient. Their definition can be found in [?].

The parallel composition may introduce some incompatible states in the product, i.e. states in which the two components cannot work together. With the input-enabledness hypothesis no "model-related" errors can occur when computing the product. However, specific incompatible states can be introduced in the models, by using for instance the universal location to specify an unpredictable behaviour of the component. A compatible environment for the two components allows avoiding these error states. We follow the optimistic approach of [2], i.e. two specifications can be composed if there exists at least one environment in which they can work together. Formally, given a set $\mathrm{und}$ of undesirable states, we say that a specification $S$ is useful if there exists an environment $E$ such that $\llbracket S \| E \rrbracket_{sem} \cap \mathrm{und} = \emptyset$. Two specifications $S$ and $T$ are compatible if and only if their product $S \| T$ is useful.

3.2 Strategies in Timed Games as Operators on Timed Specifications 

The specification theory provides a game-based methodology in which winning strategies are used to synthesize implementations and compatible environments. Therefore, it determines consistency and usefulness of specifications.

In the consistency game the output player tries to verify a safety condition, i.e. avoid a set of immediately inconsistent states $\mathrm{err}^S \subseteq St^S$. Those are the states that violate the independent progress condition:

$\mathrm{err}^S = \{s \mid (\exists d.\ s \not\xrightarrow{d}) \text{ and } \forall d\ \forall o!\ \forall s'.\ s \xrightarrow{d} s' \text{ implies } s' \not\xrightarrow{o!}\}$

If output has a winning strategy $f_o$ in the timed game $(S, W^o(\mathrm{err}^S))$, then one can synthesize from $f_o$ an implementation $I$ of $S$.

On the contrary, in the usefulness game the input player tries to avoid the set of incompatible states. If there exists a winning strategy $f_i$ in the game $(S, W^i(\mathrm{und}^S))$, it provides a compatible environment for $S$. This allows proving usefulness of specifications and therefore compatibility between two specifications.

3.3 Robust Implementations 

An essential requirement for an implementation is to be realizable on physical hardware, but this requires admitting the small imprecisions characteristic of physical components (computer hardware, sensors and actuators). The requirement of realizability has already been linked to the robustness problem in [25] in the context of model checking. In specification theories the small deficiencies of hardware can be reflected in a strengthened satisfaction relation, which introduces small perturbations to the timing of implementation actions before they are checked against the requirements of a specification — ensuring that the implementation satisfies the specification even if its behaviour is perturbed.

We first formalize the concept of perturbation. Let $\varphi \in \Phi(Clk)$ be a guard over the set of clocks $Clk$, let $x \in Clk$ and $k \in \mathbb{Q}$. The enlarged guard $[\varphi]_\Delta$ is constructed according to the following rules:

• Any term $x \prec k$ of $\varphi$ with $\prec \in \{<, \le\}$ is replaced by $x \prec k + \Delta$

• Any term $x \succ k$ of $\varphi$ with $\succ \in \{>, \ge\}$ is replaced by $x \succ k - \Delta$

Similarly, the restricted guard $\lfloor \varphi \rfloor_\Delta$ is built using the two following rules:

• Any term $x \prec k$ of $\varphi$ with $\prec \in \{<, \le\}$ is replaced by $x \prec k - \Delta$

• Any term $x \succ k$ of $\varphi$ with $\succ \in \{>, \ge\}$ is replaced by $x \succ k + \Delta$.

Notice that for a clock valuation $u$ and a guard $\varphi$, we have that $u \models \varphi$ implies $u \models [\varphi]_\Delta$, and $u \models \lfloor \varphi \rfloor_\Delta$ implies $u \models \varphi$, and $\lfloor [\varphi]_\Delta \rfloor_\Delta = [\lfloor \varphi \rfloor_\Delta]_\Delta = \varphi$.

We lift the perturbation to implementation TIOAs. Given a jitter $\Delta$, the perturbation means a $\Delta$-enlargement of invariants and of output edge guards. Guards on the input edges are restricted by $\Delta$:

Definition 9 For an implementation $I = (Loc, q_0, Clk, E, Act, Inv)$ and $\Delta \in \mathbb{Q}_{\ge 0}$, the $\Delta$-perturbation of $I$ is the TIOA $I_\Delta = (Loc, q_0, Clk, E', Act, Inv')$, such that:

• Every edge $(q, o!, \varphi, X, q') \in E$ is replaced by $(q, o!, [\varphi]_\Delta, X, q') \in E'$,

• Every edge $(q, i?, \varphi, X, q') \in E$ is replaced by $(q, i?, \lfloor \varphi \rfloor_\Delta, X, q') \in E'$,

• $\forall q \in Loc.\ Inv'(q) = [Inv(q)]_\Delta$,

• $\forall q \in Loc.\ \forall i? \in Act_i$ there exists an edge $(q, i?, \varphi_u, \emptyset, l_u) \in E'$ with $\varphi_u = \neg\big(\bigvee_{(q, i?, \varphi, X, q') \in E} \lfloor \varphi \rfloor_\Delta\big)$.

$I_\Delta$ is not necessarily action deterministic, as output guards are enlarged. However, it is input-enabled, since by construction (last case in the previous definition) any input not accepted after restricting input guards is redirected to the universal location. Also $I_0$ equals $I$.
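The guard rules of Section 3.3 and the first three rules of Definition 9, as an added example (not code from the paper or from its prototype tool). Guards are conjunctions of atoms $x \prec k$ with rational constants, so enlargement and restriction are exact; the toy implementation is constructed in the spirit of the coffee machine of Fig. 1 with clock y reset on coin?, and the universal-location edges of Definition 9 (which need guard negation) are not generated.

```python
# Added example (not code from the paper or its prototype tool): guards as
# conjunctions of atoms x ~ k, the enlargement [phi]_Delta and restriction
# |phi|_Delta of Section 3.3, and the Delta-perturbation of an implementation
# from Definition 9. The toy edges below are constructed for this example;
# the universal-location edges of Definition 9 are not generated here.
from fractions import Fraction
from typing import Dict, List, Tuple

Atom = Tuple[str, str, Fraction]                # (clock, comparison, constant k)
Guard = List[Atom]                              # conjunction of atoms; [] is "true"
Valuation = Dict[str, Fraction]
Edge = Tuple[str, str, Guard, List[str], str]   # (q, action, guard, resets, q')

UPPER = {"<", "<="}                             # bounds that move to k + Delta when enlarged
LOWER = {">", ">="}                             # bounds that move to k - Delta when enlarged
_CMP = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}


def satisfies(u: Valuation, guard: Guard) -> bool:
    """u |= phi: every atomic constraint of the conjunction holds in u."""
    return all(_CMP[op](u[x], k) for x, op, k in guard)


def enlarge(guard: Guard, delta: Fraction) -> Guard:
    """[phi]_Delta: upper bounds become k + Delta, lower bounds k - Delta."""
    return [(x, op, k + delta if op in UPPER else k - delta) for x, op, k in guard]


def restrict(guard: Guard, delta: Fraction) -> Guard:
    """|phi|_Delta: upper bounds become k - Delta, lower bounds k + Delta."""
    return [(x, op, k - delta if op in UPPER else k + delta) for x, op, k in guard]


def check_guard_properties(guard: Guard, u: Valuation, delta: Fraction) -> Dict[str, bool]:
    """The facts stated after the rules, checked for one valuation u."""
    return {
        "restricted_implies_original": (not satisfies(u, restrict(guard, delta))) or satisfies(u, guard),
        "original_implies_enlarged": (not satisfies(u, guard)) or satisfies(u, enlarge(guard, delta)),
        "restrict_enlarge_identity": restrict(enlarge(guard, delta), delta) == guard,
        "enlarge_restrict_identity": enlarge(restrict(guard, delta), delta) == guard,
    }


def perturb(edges: List[Edge], inv: Dict[str, Guard], delta: Fraction) -> Tuple[List[Edge], Dict[str, Guard]]:
    """I_Delta (Definition 9, first three rules): output edges (actions ending
    in '!') and invariants are enlarged, input edges (ending in '?') are restricted."""
    new_edges = [(q, a, enlarge(g, delta) if a.endswith("!") else restrict(g, delta), X, q2)
                 for q, a, g, X, q2 in edges]
    new_inv = {q: enlarge(g, delta) for q, g in inv.items()}
    return new_edges, new_inv


# Constructed toy implementation in the spirit of the coffee machine of Fig. 1,
# with clock y reset on coin? (the fix suggested in the introduction).
TOY_EDGES: List[Edge] = [
    ("Idle", "choice?", [], ["y"], "Chosen"),
    ("Chosen", "coin?", [("y", "<=", Fraction(6))], ["y"], "Serving"),
    ("Serving", "cof!", [("y", ">=", Fraction(2)), ("y", "<=", Fraction(6))], [], "Idle"),
]
TOY_INV: Dict[str, Guard] = {"Chosen": [("y", "<=", Fraction(6))], "Serving": [("y", "<=", Fraction(6))]}


def perturbed_serving_window(delta: Fraction) -> Guard:
    """Guard of cof! in I_Delta: shows how the output window widens with Delta."""
    edges, _ = perturb(TOY_EDGES, TOY_INV, delta)
    return next(g for _, a, g, _, _ in edges if a == "cof!")


if __name__ == "__main__":
    d = Fraction(1, 10)
    print("cof! guard in I_Delta:", perturbed_serving_window(d))
    print(check_guard_properties(TOY_EDGES[1][2], {"y": Fraction(6)}, d))
```

With $\Delta = 1/10$ the coin? guard $y \le 6$ is restricted to $y \le 5.9$, so the valuation $y = 6$ that satisfies the original guard no longer satisfies the restricted one, while the cof! window $2 \le y \le 6$ widens to $1.9 \le y \le 6.1$; this is exactly the direction of the inclusions $\llbracket \lfloor \varphi \rfloor_\Delta \rrbracket \subseteq \llbracket \varphi \rrbracket \subseteq \llbracket [\varphi]_\Delta \rrbracket$ stated above.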

In a similar manner, for a specification $S$ we define $[S]_\Delta$ as the TIOA where all output edges and invariants have been enlarged.

Definition 10 An implementation $I$ robustly satisfies a specification $S$ for a given delay $\Delta \in \mathbb{Q}_{\ge 0}$, denoted $I\ \mathrm{sat}_\Delta\ S$, if and only if $I_\Delta \le S$.

A specification is $\Delta$-robust consistent if and only if it admits at least one $\Delta$-robust implementation. A specification is $\Delta$-robust useful if there exists an environment $E$ such that $[E]_\Delta \| S$ avoids the error states $\mathrm{und}^S$. As previously, two specifications $S$ and $T$ are $\Delta$-robust compatible if and only if their composition is $\Delta$-robust useful. The next property shows that robustness is monotonic for different values of the delay:

Property 1 (Monotonicity) Given two delays $0 \le \Delta_1 \le \Delta_2$ and an implementation $I$: $I \le I_{\Delta_1} \le I_{\Delta_2}$. Therefore, if a specification $S$ is $\Delta_2$-robust consistent, then $S$ is also $\Delta_1$-robust consistent. Moreover, if $S$ is $\Delta_2$-robust useful, then $S$ is $\Delta_1$-robust useful.

3.4 Robust Timed Games for Timed Specifications 

Robust timed games add a robustness objective to safety games. They can be used to verify robust consistency and robust compatibility, as was done in the non-robust cases. We have presented in [20] a notion of robust strategies for timed games, and we showed how to synthesize robust implementations and robust environments from these strategies. We finally gave a construction of a robust game automaton, whose original idea comes from [13], that transforms the original game. It is shown that finding strategies in this automaton, using classical timed game algorithms, permits synthesizing robust strategies in the original game. In this paper we always use this construction to solve robust timed games. Therefore we only recall its definition below:

Definition 11 Let $(A, W^o(\mathrm{Bad}))$ be a timed game, where $A = (Loc, q_0, Clk, E, Act, Inv)$ and $\mathrm{Bad} \subseteq Loc$, and let $\Delta \in \mathbb{Q}_{>0}$. The robust game automaton $A^\Delta_{rob} = (\overline{Loc}, q_0, Clk \cup \{y\}, \overline{E}, Act \cup \{\mathrm{rob}\}, \overline{Inv})$ uses an additional clock $y$ and an additional input action $\mathrm{rob} \in Act_i$, and is constructed according to the following rules:

• $Loc \subseteq \overline{Loc}$, and for each location $q \in Loc$ and each edge $e = (q, o!, \varphi, X, q') \in E$, two locations $q_e^-$ and $q_e^+$ are added in $\overline{Loc}$. The invariant of $q$ is unchanged; the invariants of $q_e^-$ and $q_e^+$ are $y \le \Delta$.

• Each edge $e' = (q, i?, \varphi, X, q') \in E$ gives rise to the following edges in $\overline{E}$: $(q, i?, \varphi, X, q')$, $(q_e^-, i?, \varphi, X, q')$ and $(q_e^+, i?, \varphi, X, q')$.

• Each edge $e = (q, o!, \varphi, X, q') \in E$ gives rise to the following edges in $\overline{E}$: $(q, o!, \varphi, \{y\}, q_e^-)$, $(q_e^-, o!, y = \Delta, \{y\}, q_e^+)$, $(q_e^-, \mathrm{rob}, \varphi, X, q')$, $(q_e^+, \mathrm{rob}, \varphi, X, q')$, $(q_e^-, \mathrm{rob}, \neg\varphi, \emptyset, \mathrm{Bad})$ and $(q_e^+, \mathrm{rob}, \neg\varphi, \emptyset, \mathrm{Bad})$ (see footnote 1).

The construction is demonstrated in Fig. 3. The idea behind the construction is that whenever output wants to fire a transition $(q, o!, \varphi_o, X_o, q_1)$ in the original automaton from a state $(q, u)$ after elapsing $d$ time units, this takes several steps in the robust automaton:

1. Output proposes to play action $o!$ at time $d$ with the following sequence of transitions:

$(q, u) \xrightarrow{d - \Delta} (q, u + d - \Delta) \xrightarrow{o!} (q_e^-, u + d - \Delta) \xrightarrow{\Delta} (q_e^-, u + d) \xrightarrow{o!} (q_e^+, u + d)$

Note that this forbids output to play any action with a reaction time smaller than $\Delta$, and consequently this forbids Zeno strategies.

2. Input can perturb this move with $d' < \Delta$, by choosing either a smaller delay:

$(q_e^-, u + d - \Delta) \xrightarrow{d'} (q_e^-, u + d - \Delta + d') \xrightarrow{\mathrm{rob}} (q_1, u + d - \Delta + d')$

or a greater delay:

$(q_e^+, u + d) \xrightarrow{d'} (q_e^+, u + d + d') \xrightarrow{\mathrm{rob}} (q_1, u + d + d')$

3. At any time in locations $q$, $q_e^-$ and $q_e^+$, the original input edge $(q, i?, \varphi_i, X_i, q_1)$ is still available.

4. Output is implicitly forbidden to play a move that could not be perturbed, since input will immediately win if the guard $\varphi_o$ is exceeded.

In [20], we prove that this construction is a sound technique to solve robust timed games and check robust consistency and robust compatibility.
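The construction of Definition 11 carried out mechanically on a small automaton, as an added example (not code from the paper or from its prototype tool). Guards are kept as opaque strings, since the construction only copies or negates them and never evaluates them; "Delta" in a guard string stands for the parameter; the toy coffee-machine automaton is constructed here and is not Fig. 1 or Fig. 3 of the paper.

```python
# Added example (not code from the paper or its prototype tool): the robust
# game automaton construction of Definition 11 applied to a small TIOA. Guards
# are opaque strings (the construction only copies or negates them, never
# evaluates them), the name "Delta" stands for the parameter, and the toy
# coffee-machine automaton is constructed for this example, not Fig. 1 or 3.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Edge = Tuple[str, str, str, List[str], str]     # (q, action, guard, resets, q')


@dataclass
class TIOA:
    locations: List[str]
    initial: str
    clocks: List[str]
    edges: List[Edge]
    inputs: Set[str]
    outputs: Set[str]
    inv: Dict[str, str]                          # location -> invariant ("true" if absent)


def robust_game_automaton(a: TIOA, bad: str = "Bad") -> TIOA:
    """A_rob^Delta: each output edge e from q gets locations q_e^- and q_e^+
    (invariant y <= Delta), a two-step o! move, and rob moves for input."""
    out_edges = [(i, e) for i, e in enumerate(a.edges) if e[1] in a.outputs]
    minus = {i: f"{e[0]}_e{i}-" for i, e in out_edges}
    plus = {i: f"{e[0]}_e{i}+" for i, e in out_edges}

    locations = list(a.locations) + ([bad] if bad not in a.locations else [])
    inv = dict(a.inv)
    for i, _ in out_edges:                       # rule 1: fresh locations, invariant y <= Delta
        locations += [minus[i], plus[i]]
        inv[minus[i]] = inv[plus[i]] = "y <= Delta"

    edges: List[Edge] = []
    for q, act, g, resets, q2 in a.edges:        # rule 2: input edges stay available
        if act in a.inputs:                      # in q and in every q_e^-, q_e^+ of q
            edges.append((q, act, g, resets, q2))
            for i, e in out_edges:
                if e[0] == q:
                    edges.append((minus[i], act, g, resets, q2))
                    edges.append((plus[i], act, g, resets, q2))

    for i, (q, act, g, resets, q2) in out_edges: # rule 3: perturbable output move
        m, p = minus[i], plus[i]
        edges += [
            (q, act, g, ["y"], m),               # output proposes o!, starts the Delta window
            (m, act, "y == Delta", ["y"], p),    # ... and confirms it exactly Delta later
            (m, "rob", g, resets, q2),           # input perturbs to an earlier time ...
            (p, "rob", g, resets, q2),           # ... or to a later time, guard still met
            (m, "rob", f"not ({g})", [], bad),   # perturbed instant violates the guard:
            (p, "rob", f"not ({g})", [], bad),   # input wins immediately
        ]
    return TIOA(locations, a.initial, a.clocks + ["y"], edges, a.inputs | {"rob"}, a.outputs, inv)


def coffee_machine() -> TIOA:
    """Constructed toy in the spirit of Fig. 1 (with y reset on coin?)."""
    return TIOA(
        locations=["Idle", "Chosen", "Serving"], initial="Idle", clocks=["y"],
        edges=[("Idle", "choice?", "true", ["y"], "Chosen"),
               ("Chosen", "coin?", "y <= 6", ["y"], "Serving"),
               ("Chosen", "abort!", "y >= 6", [], "Idle"),
               ("Serving", "cof!", "y <= 6", [], "Idle")],
        inputs={"choice?", "coin?"}, outputs={"abort!", "cof!"},
        inv={"Chosen": "y <= 6", "Serving": "y <= 6"},
    )


def edge_counts(a: TIOA) -> Dict[str, int]:
    """Number of edges per action label, for inspecting the construction."""
    counts: Dict[str, int] = {}
    for _, act, *_ in a.edges:
        counts[act] = counts.get(act, 0) + 1
    return counts


if __name__ == "__main__":
    rob = robust_game_automaton(coffee_machine())
    print(len(rob.locations), "locations,", len(rob.edges), "edges")
    print(edge_counts(rob))
```

For the toy automaton every output edge contributes two fresh locations and six edges, and the coin? edge is copied to the two locations created for the abort! edge leaving the same location, which is how rule 2 keeps the original input edges available during the perturbation window.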

4 Counter Strategy Refinement For Parametric Robustness 

In the previous section we have recalled our notions of robustness for a fixed delay. In [20] we additionally study the properties of these perturbations with respect to the different operators in the specification theory. In this paper we now consider the parametric problems, i.e. determining the existence of a non-null delay. More precisely, due to the monotonicity properties we would like to evaluate the greatest possible value of the perturbation. The robustness problems that we consider in this section are the parametric extension of the previously defined problems:

• Robust Consistency: Given a specification $S$, determine the greatest value of $\Delta$ such that $S$ is $\Delta$-robust consistent.

• Robust Usefulness: Given a specification $S$, determine the greatest value of $\Delta$ such that $S$ is $\Delta$-robust useful.

1 Technically, since in a TIOA transition guards must be convex, the last two transitions may be split into several copies, one for each convex guard in $\neg\varphi$.
(a) TIOA $A$ (b) Robust game automaton $A^\Delta_{rob}$

Figure 3: Construction of the robust game automaton $A^\Delta_{rob}$ from an original automaton $A$.



4.1 Parametric Timed Games 

When we consider $\Delta$ as a free parameter, the robust game automaton construction of Section 3 defines a Parametric Timed I/O Automaton, in a similar manner as Parametric Timed Automata are defined in [6, 18]. We denote by $\Phi_\Delta(Clk)$ the set of parametric guards with parameter $\Delta$ over a set of clocks $Clk$. Parametric guards in $\Phi_\Delta(Clk)$ are generated by the following grammar: $\varphi ::= x \prec l \mid x - y \prec l \mid \varphi \wedge \varphi$, where $x, y \in Clk$, $\prec \in \{<, \le, >, \ge\}$ and $l = a + b \cdot \Delta$ is a linear expression such that $a, b \in \mathbb{Q}$.

Definition 12 A Parametric TIOA with parameter $\Delta$ is a TIOA $A$ such that guards and invariants are replaced by parametric guards.

For a given value $\delta \in \mathbb{Q}_{\ge 0}$, we define the non-parametric game $A_\delta$ obtained by replacing each occurrence of the parameter $\Delta$ in the parametric guards of $A$ by the value $\delta$.

A parametric symbolic state $X$ is a set of triples $(q, u, \delta)$, where $\delta$ is a value of the parameter $\Delta$ and $(q, u)$ is a state in $\llbracket A_\delta \rrbracket_{sem}$. Operations on symbolic states can be extended to parametric symbolic states, such that $X^{\nearrow\Delta}$, $X^{\swarrow\Delta}$, $\mathrm{PPost}_a(X)$, $\mathrm{PPred}_a(X)$ and $\mathrm{PPred}_t(X, Y)$ stand for the extensions of the previously defined non-parametric operations. Formally:

$X^{\nearrow\Delta} = \{(q, u + d, \delta) \mid (q, u, \delta) \in X, d \in \mathbb{R}_{\ge 0}\}$
$X^{\swarrow\Delta} = \{(q, u - d, \delta) \mid (q, u, \delta) \in X, d \in \mathbb{R}_{\ge 0}\}$
$\mathrm{PPost}_a(X) = \{(q', u', \delta) \mid \exists (q, u, \delta) \in X.\ (q, u) \xrightarrow{a}^{A_\delta} (q', u')\}$
$\mathrm{PPred}_a(X) = \{(q, u, \delta) \mid \exists (q', u', \delta) \in X.\ (q, u) \xrightarrow{a}^{A_\delta} (q', u')\}$
$\mathrm{PPred}_t(X, Y) = \{(q, u, \delta) \mid \exists d \in \mathbb{R}_{\ge 0}.\ (q, u) \xrightarrow{d}^{A_\delta} (q, u + d) \text{ and } (q, u + d, \delta) \in X \text{ and } \forall d' \in [0, d].\ (q, u + d', \delta) \notin Y\}$

4.2 Parametric Robustness Evaluation 

Solving the robustness problems for any value of $\Delta$ would in general require solving a parametric timed game. This problem is undecidable, as it has been shown that the parametric model-checking problem is undecidable [6]. In this paper, we propose to compute an approximation of the maximum delay perturbation. Due to the monotonicity of the robustness problems (Property 1), we can apply an iterative evaluation procedure that searches for the maximum value until it lies within a given precision interval. This basic procedure is described in Algorithm 1 for the parametric game $(A^\Delta_{rob}, W^o(\mathrm{Bad}))$ for output (again, it applies symmetrically to input).



Algorithm 1: Evaluation of parametric robustness
Input: $(A^\Delta_{rob}, W^o(\mathrm{Bad}))$: parametric robust timed game,
       $\Delta_{max}$: initial maximum value,
       $\varepsilon$: precision
Output: $\Delta_{good}$: maximum admissible value of $\Delta$

begin
    $\Delta_{good} \leftarrow 0$
    $\Delta_{bad} \leftarrow \Delta_{max}$
    while $\Delta_{bad} - \Delta_{good} > \varepsilon$ do
        $(\Delta_{good}, \Delta_{bad}) \leftarrow \mathrm{RefineValues}(\Delta_{good}, \Delta_{bad})$
    end
    return $\Delta_{good}$
end



The algorithm assumes that the game $(A^{0}_{rob}, W^o(\mathrm{Bad}))$ is won, whereas the game $(A^{\Delta_{max}}_{rob}, W^o(\mathrm{Bad}))$ is lost. It maintains two invariants: $\Delta_{good}$ stores the maximum value known to be correct for the robust game; $\Delta_{bad}$ stores the minimum value known to be incorrect, with precision $\varepsilon$. At the heart of the algorithm the procedure RefineValues plays the game for a chosen value, and updates the variables $\Delta_{good}$ and $\Delta_{bad}$ according to the result. Termination is ensured if each iteration reduces the length of the interval by some fixed minimum amount.

Different algorithms can be used to implement RefineValues. A basic method is binary search. In that case RefineValues chooses the middle point $\Delta_{mid}$ of the interval $[\Delta_{good}, \Delta_{bad}]$, and plays the game $(A^{\Delta_{mid}}_{rob}, W^o(\mathrm{Bad}))$. According to the result, it updates either $\Delta_{good}$ or $\Delta_{bad}$. This algorithm has several drawbacks. First, the number of games it needs to solve depends heavily on the precision parameter. Second, depending on the initial maximum value, a high proportion of the games played may be winning, and in that case the complete symbolic graph of the model must be explored.

4.3 Counter Strategy Refinement 

We propose an alternative method that follows the principle of counterexample-guided abstraction 
refinement [14]. In our setting, counterexamples are spoiling strategies computed when the game is lost. 
We analyse these strategies in order to refine the value of Δ. Using this technique, only the last game is 
winning. The different steps are: 

1. Play the game (A_rob^{Δ_bad}, W^o(Bad)). 

2. If the game is won, return the values (Δ_bad, Δ_bad). 

3. Else extract a counter strategy F_i for the input player. 

4. Replay F_i on the parametric game using Algorithm 2; it returns a value Δ_min. 

5. If Δ_min is only an infimum and Δ_bad − Δ_min > ε, return the values (Δ_good, Δ_min). 

6. Else return the values (Δ_good, Δ_min − ε). 

The goal of Algorithm 2 is to replay the spoiling strategy F_i on the parametric game and compute 
the maximum value of Δ such that this strategy becomes infeasible. It takes as inputs the parametric 
game automaton A_rob^Δ, the symbolic graph (Z^{Δ_bad}, X_0, →) computed for the game (A_rob^{Δ_bad}, W^o(Bad)), and 
the spoiling strategy F_i. It returns the infimum of the values Δ_bad such that F_i is a spoiling strategy in the 
game (A_rob^{Δ_bad}, W^o(Bad)). 

The algorithm is similar to the timed game algorithm proposed in [12] and implemented in the tool 
TIGA [8]. However, only the backward analysis is applied, on parametric symbolic states, starting from 
the "bad" locations. Additionally, the algorithm only explores the states that belong to the outcome of 
F_i. Since F_i is a spoiling strategy in a safety game, its outcome contains a set of finite runs that eventually 
reach the "bad" locations. This ensures that a backward exploration restricted to this set of finite runs 
will terminate. Formally, we define the outcome of a symbolic spoiling strategy F_i for input. Outcome(F_i) 
is the subset of runs in the symbolic graph defined inductively by: 

• $X_0 \in \mathrm{Outcome}(F_i)$, the run consisting of the initial symbolic state alone; 

• if $\rho \in \mathrm{Outcome}(F_i)$ and $\mathrm{last}(\rho) = (q, Z)$, then $\rho' = \rho \to (q', Z') \in \mathrm{Outcome}(F_i)$ if $\exists (q, a, \varphi, \lambda, q') \in E$ 
and one of the following conditions holds: 

  1. either $a \in Act_i$ and $\exists Z''.\ F_i(Z'') = a$ and $Z' = \mathrm{Post}_a(Z \cap Z'')^{\nearrow}$, 

  2. or $a \in Act_o$ and $\exists Z''.\ F_i(Z'') = \mathrm{delay}$ and $Z' = \mathrm{Post}_a(Z \cap Z'')^{\nearrow}$. 

The backward exploration ends when the set of winning states $PWin[X_0]$ contains the initial state. Then 
the projection $(PWin[X_0] \cap \Omega)|_\Delta$ computes the set of all the valuations of Δ such that the strategy F_i is 
winning. The algorithm returns the infimum of these valuations. 

5 Implementation 

The specification theory described in [15] is implemented in the tool ECDAR [16]. In order to experiment 
with the methods proposed in this paper, we have built a prototype in Python that reimplements the main 
functionalities of ECDAR and supports the analysis of the robustness of timed specifications [23]. Inside 
this tool, the theory presented in Section 3 is implemented as a set of model transformations: 

1. Computation of I_Δ, the Δ-perturbation of an implementation I for some Δ ∈ ℚ_{>0}. 

2. Computation of the robust game automaton A_rob^Δ. 

3. In order to add rational perturbations to the models I_Δ and A_rob^Δ, the tool scales all the constants in 
the TIOA. 

4. Finally, we transform the TIOA of a specification into a specific consistency game automaton (resp. 
usefulness game automaton), such that all non-Δ-robust consistent (resp. non-Δ-robust useful) 
states are observed by a single location. 

By combining these transformations we can check in the tool the three problems: Δ-robust satisfaction, 
Δ-consistency and Δ-usefulness. The algorithms used are respectively the alternating simulation algorithm 
presented in [11] and the on-the-fly timed games algorithm presented in [12]. 

To solve the parametric robustness problems we have implemented the heuristic presented in 
Section 4 that approximates the maximum solution through counter strategy refinement. We have also 
implemented a binary search heuristic in order to compare the performance of the two approaches. In 
Algorithm 2, operations on parametric symbolic states are handled with the Parma Polyhedra Library 
[7]. We should remark that using polyhedra increases the complexity of computations compared to 
Difference Bound Matrices (DBMs), but this is necessary due to the form of the parametric constraints, 
which are beyond the scope of classical DBMs. This is not so much a problem in our approach, as the 
parametric analysis is limited to spoiling strategies whose size is kept as small as possible. Nevertheless, 
an interesting improvement could be to use Parametric DBMs as presented in [18]. 



Algorithm 2: Counter strategy refinement 
Input: (A_rob^Δ, W^o(Bad)): parametric robust timed game, 
       (Z^{Δ_bad}, X_0, →): symbolic graph computed for the game (A_rob^{Δ_bad}, W^o(Bad)), 
       F_i: spoiling strategy for input in the game (A_rob^{Δ_bad}, W^o(Bad)) 
Output: infimum of the Δ_bad values such that F_i is a spoiling strategy in (A_rob^{Δ_bad}, W^o(Bad)) 

begin 
  /* Initialisation */ 
  Waiting ← ∅ 
  for X = (q, Z) ∈ Z^{Δ_bad} do 
    if q ∈ Bad then 
      PWin[X] ← ⟦Inv(q)⟧ 
      Waiting ← Waiting ∪ {Y | ∃ρ. ρ → Y → X ∈ Outcome(F_i)} 
    else 
      PWin[X] ← ∅ 
    end 
  end 
  /* Backward exploration */ 
  while (Waiting ≠ ∅) ∧ (initial state ∉ PWin[X_0]) do 
    X = (q, Z) ← pop(Waiting) 
    PBad*  ← ¬⟦Inv(q)⟧ ∪ ⋃_{X →^a Y, a ∈ Act_i} PPred_a(PWin[Y]) 
    PGood* ← ⋃_{X →^a Y, a ∈ Act_o} PPred_a(⟦Inv(Y)⟧ \ PWin[Y]) 
    PWin[X] ← PPred_t(PBad*, PGood* \ PBad*) 
    Waiting ← Waiting ∪ {Y | ∃ρ. ρ → Y → X ∈ Outcome(F_i)} 
  end 
  return Minimize((PWin[X_0] ∩ Ω)|_Δ) 
end 



6 Experiments 

We evaluate the performance of the tool in solving the parametric robustness problems on two academic 
examples. In these experiments we compare the Counter strategy Refinement (CR) approach with the 
Binary Search (BS) method. We present benchmark results for different values of the initial parameters 
Δ_max and ε. 
            Game size 
Model     loc. trans.  CR     BS      CR     BS      CR     BS      CR     BS 
?            ?    48   14.1s  12.1s   12.5s  11s     14.1s  19.6s   ?      19.4s 
M||R        44   152   10s    15.5s   9.81s  15.8s   10.3s  22.9s   9.78s  29.2s 
M||R||A    180   803   54.4s  56.3s   54.6s  112s    55s    58.8s   55.7s  216s 

Table 1: Robust consistency of the university specifications 



            Game size  ε = 0.1        ε = 0.1        ε = 0.01       ε = 0.01 
Model     loc. trans.  CR     BS      CR     BS      CR     BS      CR     BS 
M||R        21    90   2.64s  4.34s   1.72s  4.02s   2.64s  5.5s    1.72s  5.45s 
M||R||A     75   399   48s    65s     42.7s  74.2s   48.2s  78.1s   42.9s  120s 

Table 2: Robust compatibility between the university specifications 



6.1 Specification of a university 

The toy examples featured in this paper are extracted from [15]. They describe the overall specification 
of a university, composed of three specifications: the coffee machine (M) of Fig. 2a, the researcher 
(R) of Fig. 2b and the administration (A) of Fig. 2c. We study the robust consistency and the robust 
compatibility of these specifications and their parallel composition. The results are presented in Tables 1 
and 2. The column game size displays the size of the robust game automaton used in the analysis in 
terms of locations (loc.) and transitions (trans.). The next columns display the time spent computing 
the maximum perturbation with different initial conditions. The analysis of these results first shows that 
the Counter strategy Refinement method is almost independent of the two initial parameters Δ_max and 
ε. This is not the case for Binary Search: the precision ε influences the number of games that must be 
solved, and the choice of Δ_max changes the proportion of games that are winning. Comparing the results of 
the two methods shows that in most cases, especially the more complex ones, the Counter strategy 
Refinement approach is more efficient. 



6.2 Specification of a Milner Scheduler 

The second experiment studies a real-time version of Milner's scheduler previously introduced in [16]. 
The model consists of a ring of nodes. Each node receives a start signal from the previous node to 
perform some work and in the meantime forwards the token to the next node within a given time interval. 
We check the robust consistency of this model for different values of N and different initial parameters. 
The results are displayed in Table 3. As in the previous experiment, the results show that the Counter 
strategy Refinement method is independent of the initial conditions and in general more efficient than 
Binary Search. 
                       Δ_max = 30     Δ_max = 31     Δ_max = 30     Δ_max = 31 
            Game size  ε = 0.5        ε = 0.5        ε = 0.1        ε = 0.1 
Model     loc. trans.  CR     BS      CR     BS      CR     BS      CR     BS 
?            ?    35   0.97s  0.68s   1.09s  0.72s   0.97s  1.03s   1.09s  1.09s 
2 Nodes     81   344   10.7s  10.3s   11.2s  12.6s   10.5s  15.8s   11.1s  19.4s 
3 Nodes    449  2640   1m58   2m25    2m06   2m26    1m57   3m39    2m05   3m45 
4 Nodes   2305 17152   17m38  24m12   17m38  27m46   17m41  37m57   17m37  41m50 

Table 3: Robust consistency of Milner's scheduler nodes 



6.3 Interpretation 

The performance of the Binary Search method depends on the number of games that are solved and on 
the outcome of these games. Games that are winning (or games that are losing but with a value of Δ close 
to the optimum value) are harder to solve, since in these cases the (almost) complete symbolic state space 
must be explored. Reducing the precision parameter ε implies that more games must be solved close to 
the optimum value, and therefore increases the analysis time. Moreover, changing, even slightly, the 
initial maximum value Δ_max may change the number of games but, more importantly, the outcome of these 
games, and therefore the proportion of winning games. For instance, in the last experiment the expected 
result is 7.5. With an initial value of 30 the bisections performed by the Binary Search method arbitrarily 
imply that only 1 game is winning out of 9 (for ε = 0.1). With 31 this proportion is 6 out of 9, which 
increases the complexity of the analysis. 

With the Counter strategy Refinement approach proposed in this paper only losing games are played 
until one is winning. The choice of Δ_max modifies the number of games that are solved, but in general 
the first games, for large values of Δ, are easily solved. Consequently, the choice of Δ_max shows almost 
no impact on performance in the experiments. With the parametric approach the parameter ε is 
only used when the value Δ_min computed by the refinement process is the minimum of the bad values. In 
that case the next iteration plays the game with the value Δ_min − ε. The experiments show this has no 
impact on performance. 
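The game counts quoted above can be reproduced with the following added example (not code from the paper or from PyECDAR): it runs Algorithm 1 with both RefineValues variants of Sections 4.2 and 4.3 against a constructed oracle in which the robust game is won exactly for Δ ≤ 7.5 (the expected result of the Milner scheduler experiment), and replaces Algorithm 2 by a constructed list of spoiling-strategy thresholds. With ε = 0.1, Binary Search plays 9 games of which 1 (Δ_max = 30) or 6 (Δ_max = 31) are winning, while Counter strategy Refinement plays only losing games until the last one.

```python
"""Algorithm 1 of the paper with two RefineValues variants, run against a
constructed oracle instead of a real timed game: the robust game is won
exactly when Delta <= DELTA_STAR, and each spoiling strategy is a
(threshold, is_infimum) pair spoiling the game for Delta > threshold if
is_infimum, else for Delta >= threshold.  Replaying a strategy on the
parametric game (Algorithm 2) just reads off its threshold as Delta_min."""

DELTA_STAR = 7.5  # expected result of the Milner scheduler experiment
SPOILERS = [(7.5, True), (9.0, False), (12.0, True), (20.0, False)]  # constructed


def play(delta):
    """Oracle for solving the robust timed game at a fixed Delta."""
    return delta <= DELTA_STAR


def extract_spoiler(delta):
    """Counter strategy handed back when the game at delta is lost: here the
    applicable constructed strategy with the largest threshold."""
    usable = [s for s in SPOILERS if (delta > s[0] if s[1] else delta >= s[0])]
    return max(usable)


def play_counted(delta, stats):
    won = play(delta)              # one call to the game solver
    stats["played"] += 1
    stats["won"] += int(won)
    return won


def refine_binary_search(good, bad, eps, stats):
    """RefineValues by bisection: play the middle point, move one bound."""
    mid = (good + bad) / 2
    return (mid, bad) if play_counted(mid, stats) else (good, mid)


def refine_counter_strategy(good, bad, eps, stats):
    """RefineValues following steps 1-6 of Section 4.3."""
    if play_counted(bad, stats):                  # steps 1-2: won at Delta_bad
        return bad, bad
    delta_min, is_infimum = extract_spoiler(bad)  # steps 3-4: replay spoiler
    if is_infimum and bad - delta_min > eps:      # step 5: only an infimum
        return good, delta_min
    return good, delta_min - eps                  # step 6: a true minimum


def evaluate(refine, delta_max, eps):
    """Algorithm 1; returns (Delta_good, games played, games won)."""
    good, bad = 0.0, delta_max
    stats = {"played": 0, "won": 0}
    while bad - good > eps:
        good, bad = refine(good, bad, eps, stats)
    return good, stats["played"], stats["won"]


if __name__ == "__main__":
    for dmax in (30, 31):
        for refine in (refine_binary_search, refine_counter_strategy):
            print(dmax, refine.__name__, evaluate(refine, dmax, 0.1))
```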



7 Conclusion 

We have studied the parametric robustness problems for timed specifications. This work is based on the 
theory of timed specifications of [15]. It extends the theory of robust specifications of [20], which was 
limited to fixed values for the delays. More precisely, we evaluate through approximation techniques the 
maximum imprecision allowed by specifications. To this end, we propose a counterexample refinement 
approach that analyses spoiling strategies in timed games. 

This technique has been implemented in a prototype tool and its performance has been evaluated 
in two experiments. The results show that our counterexample refinement technique offers in most 
cases better and more robust (w.r.t. initial conditions) performance than the binary search technique. 

In a future version of our tool, we would like to apply the counterexample refinement approach to 
the alternating simulation game, in order to solve the parametric satisfaction problem for an existing 
implementation. We will also try to improve the performance, in particular for analysing parametric 
symbolic states. An interesting approach could be to replace polyhedra by parametric DBMs. 






Counterexample Refinement for Robust Timed Specifications 



References 

[1] Luca de Alfaro, Marco Faella, Thomas Henzinger, Rupak Majumdar & Marielle Stoelinga (2003): The 
Element of Surprise in Timed Games. In: CONCUR, LNCS 2761, Springer, pp. 144-158, doi:10.1007/978-3-540-45187-7_9 

[2] Luca de Alfaro & Thomas A. Henzinger (2001): Interface automata. In: ESEC / SIGSOFT FSE, pp. 109-120, 
doi:10.1145/503209.503226 

[3] Luca de Alfaro & Thomas A. Henzinger (2004): Interface-Based Design. In: Engineering Theories of 
Software Intensive Systems, Marktoberdorf Summer School, doi:10.1.1.77.4920 

[4] Luca de Alfaro, Thomas A. Henzinger & Marielle Stoelinga (2002): Timed Interfaces. In: EMSOFT, LNCS 
2491, Springer, pp. 108-122, doi:10.1007/3-540-45828-X_9 

[5] Rajeev Alur & David L. Dill (1994): A Theory of Timed Automata. Theor. Comput. Sci. 126(2), pp. 183-235, 
doi:10.1016/0304-3975(94)90010-8 

[6] Rajeev Alur, Thomas A. Henzinger & Moshe Y. Vardi (1993): Parametric real-time reasoning. In: STOC, 
pp. 592-601, doi:10.1145/167088.167242 

[7] R. Bagnara, P. M. Hill & E. Zaffanella (2008): The Parma Polyhedra Library: Toward a Complete Set of 
Numerical Abstractions for the Analysis and Verification of Hardware and Software Systems. Science of 
Computer Programming 72(1-2), pp. 3-21, doi:10.1016/j.scico.2007.08.001 

[8] Gerd Behrmann, Agnes Cougnard, Alexandre David, Emmanuel Fleury, Kim Guldstrand Larsen & Didier 
Lime (2007): UPPAAL-Tiga: Time for Playing Games! In: CAV, LNCS 4590, Springer, pp. 121-125, 
doi:10.1007/978-3-540-73368-3_14 

[9] Gerd Behrmann, Alexandre David, Kim Guldstrand Larsen, Paul Pettersson & Wang Yi (2011): Developing 
UPPAAL over 15 years. Softw., Pract. Exper. 41(2), pp. 133-142, doi:10.1002/spe.1006 

[10] Patricia Bouyer, Nicolas Markey & Ocan Sankur (2011): Robust Model-Checking of Timed Automata via 
Pumping in Channel Machines. In: FORMATS, LNCS 6919, Springer, Aalborg, Denmark, pp. 97-112, 
doi:10.1007/978-3-642-24310-3_8 

[11] Peter Bulychev, Thomas Chatain, Alexandre David & Kim G. Larsen (2009): Efficient on-the-fly Algorithm 
for Checking Alternating Timed Simulation. In: FORMATS, LNCS 5813, Springer, pp. 73-87, 
doi:10.1007/978-3-642-04368-0_8 

[12] Franck Cassez, Alexandre David, Emmanuel Fleury, Kim G. Larsen & Didier Lime (2005): Efficient On-the-Fly 
Algorithms for the Analysis of Timed Games. In: CONCUR, LNCS 3653, Springer, pp. 66-80, 
doi:10.1007/11539452 

[13] Krishnendu Chatterjee, Thomas A. Henzinger & Vinayak S. Prabhu (2008): Timed Parity Games: Complexity 
and Robustness. In: FORMATS, LNCS 5215, Springer, Saint Malo, France, pp. 124-140, 
doi:10.1007/978-3-540-85778-5_10 

[14] Edmund M. Clarke, Orna Grumberg, Somesh Jha, Yuan Lu & Helmut Veith (2000): Counterexample-Guided 
Abstraction Refinement. In: CAV, LNCS 1855, Springer, pp. 154-169, doi:10.1007/10722167_15 

[15] Alexandre David, Kim G. Larsen, Axel Legay, Ulrik Nyman & Andrzej Wąsowski (2010): Timed 
I/O automata: a complete specification theory for real-time systems. In: HSCC, ACM, pp. 91-100, 
doi:10.1145/1755952.1755967 

[16] Alexandre David, Kim Guldstrand Larsen, Axel Legay, Ulrik Nyman & Andrzej Wąsowski (2010): ECDAR: 
An Environment for Compositional Design and Analysis of Real Time Systems. In: ATVA, LNCS 6252, 
Springer, Singapore, pp. 365-370, doi:10.1007/978-3-642-15643-4_29 

[17] Thomas A. Henzinger, Xavier Nicollin, Joseph Sifakis & Sergio Yovine (1994): Symbolic Model Checking 
for Real-Time Systems. Inf. Comput. 111(2), pp. 193-244, doi:10.1006/inco.1994.1045 



L.-M. Traonouez 






[18] Thomas Hune, Judi Romijn, Marielle Stoelinga & Frits W. Vaandrager (2002): Linear parametric 
model checking of timed automata. J. Log. Algebr. Program. 52-53, pp. 183-220, 
doi:10.1016/S1567-8326(02)00037-1 

[19] Rémi Jaubert & Pierre-Alain Reynier (2011): Quantitative Robustness Analysis of Flat Timed Automata. In: 
FOSSACS, LNCS 6604, Springer, pp. 229-244, doi:10.1007/978-3-642-19805-2_16 

[20] Kim G. Larsen, Axel Legay, Louis-Marie Traonouez & Andrzej Wąsowski (2011): Robust Specification 
of Real Time Components. In: FORMATS, LNCS 6919, Springer, Aalborg, Denmark, pp. 129-144, 
doi:10.1007/978-3-642-24310-3_10 

[21] Oded Maler, Amir Pnueli & Joseph Sifakis (1995): On the Synthesis of Discrete Controllers for Timed 
Systems (An Extended Abstract). In: STACS, pp. 229-242, doi:10.1.1.164.8800 

[22] Anuj Puri (1998): Dynamical properties of timed automata. In: Formal Techniques in Real-Time and 
Fault-Tolerant Systems, LNCS 1486, Springer, pp. 210-227, doi:10.1007/BFb0055349 

[23] Python implementation of ECDAR: PyECDAR. https://launchpad.net/pyecdar 

[24] Martin Wulf, Laurent Doyen, Nicolas Markey & Jean-François Raskin (2008): Robust safety of timed 
automata. Formal Methods in System Design 33, pp. 45-84, doi:10.1007/s10703-008-0056-7 

[25] Martin De Wulf, Laurent Doyen & Jean-François Raskin (2005): Almost ASAP semantics: from timed models 
to timed implementations. Formal Aspects of Computing 17(3), pp. 319-341, doi:10.1007/s00165-005-0067-8 



